-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 05 September 2007.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-10 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 1-10 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 17 October 2003 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [X] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [X] All b) [ ] Some * c) [ ] None of:

1. [X] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 

DETAILED ACTION

1. Applicant's arguments filed September 5, 2007, have been fully considered.

2. Claims 1-10 are pending and have been examined. 

Response to Amendment 

3. Regarding Applicant's argument against the Shah reference, Examiner
respectfully submits that the prior art reference is capable of performing as claimed;
therefore it anticipates the claim. Shah associates users, objects, and resources for
performing policy enforcement; what subset of resources (objects) and users (subjects)
are associated is irrelevant, since Shah already teaches associating the plurality of
entities (objects, subjects, users, programs, devices) to perform access policy functions.
Applicant's arguments are not persuasive.

Allowable Subject Matter 

4. The following is an examiner's statement of reasons for allowance: 

- claims 1-4 would be allowable; 

- regarding independent claims 1 and 3, the prior art of record neither alone nor 
in combination teach 

- "a policy creation unit for creating a draft policy based on said sample policy, 
said association information, and said differences detected by said differential 
detection unit; and a user interface unit for presenting said draft policy to the 
user, revising said draft policy as directed by the user, and saving the revised 
policy as the final policy" in combination with the other limitations recited in 
independent claims 1 and 3; 

- claims 2 and 4 are allowed because of their dependence from independent
claims 1 and 3. 

5. Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Claim Rejections - 35 USC § 102 

6. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

7. Claims 5-7 are rejected under 35 U.S.C. 102(e) as being anticipated by Shah 
et al. (US Patent 6,678,835, hereinafter Shah). 

Regarding claim 5, Shah teaches 

a policy setting support tool for creating, in a computer system equipped 
with an access control unit that controls access to computer-managed 
resources based on policies, said policy setting support tool comprising 
(abstract): 

an information database holding, for each object of access, association 
information representing subjects that are used as a unit of access to the 
object (col. 6, lines 13-42), and 

a unit for creating a policy from the association information held in said 
information database (col. 7, lines 45-65). 

Regarding claim 6, Shah teaches a subject-specifying unit for specifying unit of
access to the object according to its purpose (Shah, col. 6, lines 12-42), and a unit for 
creating said policy while designating the program specified by said subject-specifying 
unit as the subject that is permitted to access multiple kinds of object that are included 
in the association information (Shah, col. 7, lines 45-65). 

Regarding claim 7, Shah teaches wherein said computer system includes a 
collection of identifications of the subjects equipped with an object-sharing handling unit 
for sharing objects that are included in the association information among multiple 
subjects and a collection of object-sharing information listing the types of object that can 
be accessed by each subject, said policy setting support tool further comprising a unit 
for creating a policy that permits all or some of the types of access from a subject 
registered in said collection of object-sharing information to objects available to said 
subject (Shah, col. 6, lines 12-42, col. 7, lines 45-65, col. 9, lines 1-67). 

Claim Rejections - 35 USC § 103 

8. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

9. Claims 8-10 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shah, and further in view of Heintz et al. (US Patent Application Publication 
2006/0010492, hereinafter Heintz).

Regarding claim 8, Shah does not expressly disclose notifying violations and 
modifying the policy accordingly. 

However, Heintz teaches a unit for being notified by said access control unit of
any access attempts violating said policy, for notifying the user of said computer system 
administering objects to be accessed about said access attempts with reason for 
violating the policy, and for carrying out a process based on a judgment made by said 
user in response to the notification, wherein: said judgment made by said user is a 
choice between thereafter permitting all of said access attempts violating said policy, 
permitting said access attempt only this time, and prohibiting all of said access attempts 
violating said policy; in case said judgment made by said user is to thereafter permit all 
of said access attempts violating said policy, said process is to revise said policy so as 
to make said access attempts legitimate and to notify said access control unit of the 
legitimacy of said access attempts; in case said judgment made by said user is to 
permit said access attempt only this time, said process is to notify said access control 
unit of the legitimacy of said access attempt, without revising said policy; and in case 
said judgment made by said user is to prohibit all of said access attempts violating said 
policy, said process is to notify said access control unit of the illegitimacy of said access 
attempts, without revising said policy (abstract). 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to modify Shah to include raising alerts when specific 
events occurred. One of ordinary skill in the art would have been motivated to perform 
such a modification to provide for a faster response to events and enforce security 
policies (Heintz, paragraphs 6-8). 

Regarding claim 9, Shah does not expressly disclose notifying violations and
modifying the policy accordingly. 

However, Heintz teaches a unit for being notified by said access control unit of 
any access attempts to an object not registered in the collection of said policies coming 
from a subject associated with said object, for notifying the user of said computer 
system about said access attempts, and for carrying out a process based on a judgment 
made by said user in response to the notification, wherein: said judgment made by said 
user is a choice between permitting and prohibiting said access attempt made to said 
object not registered in the collection of said policies coming from a subject associated 
with said object; in case said judgment made by said user is to permit said access 
attempt, said process is to revise said policy so as to make said access attempt 
legitimate and to notify said access control unit of the legitimacy of said access attempt; 
and in case said judgment made by said user is to prohibit said access attempt, said 
process is to notify said access control unit of the illegitimacy of said access attempt, 
without revising said policy (abstract). 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to modify Shah to include raising alerts when specific 
events occurred. One of ordinary skill in the art would have been motivated to perform 
such a modification to provide for a faster response to events and enforce security 
policies (Heintz, paragraphs 6-8). 

Regarding claim 10, Shah does not expressly disclose notifying violations and 
modifying the policy accordingly. 

However, Heintz teaches a unit for being notified by said access control unit of
any access attempts coming from a subject which only partially matches the collection 
of said policies, for notifying the user of said computer system about said access 
attempts, and for carrying out a process based on a judgment made by said user in 
response to the notification, wherein: said judgment made by said user is a choice 
between permitting and prohibiting said access attempt made by said subject; in case 
said judgment made by said user is to permit said access attempt, said process is to 
revise said policy so as to make said access attempt legitimate and to notify said 
access control unit of the legitimacy of said access attempt; and in case said judgment 
made by said user is to prohibit said access attempt, said process is to notify said 
access control unit of the illegitimacy of said access attempt, without revising said policy 
(abstract). 

Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to modify Shah to include raising alerts when specific 
events occurred. One of ordinary skill in the art would have been motivated to perform 
such a modification to provide for a faster response to events and enforce security 
policies (Heintz, paragraphs 6-8). 

Conclusion 

10. Examiner's Note: Examiner has cited particular columns and line numbers in the 
references as applied to the claims below for the convenience of the applicant. Although 
the specified citations are representative of the teachings in the art and are applied to 
the specific limitations within the individual claim, other passages and figures may apply 
as well. It is respectfully requested that the applicant, in preparing the responses, fully 
consider the references in entirety as potentially teaching all or part of the claimed 
invention, as well as the context of the passage as taught by the prior art or disclosed 
by the examiner.

11. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later
than SIX MONTHS from the mailing date of this final action. 

12. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Venkatesan (NPL Threat-Adaptive Security Policy) teaches 
keeping history of user accesses and adapting policy according to changes in the usage 
pattern. Moriconi (US Patent 6,158,010 and 6,941,472) teaches 
creating/editing/updating policies. Attwood (US Patent 6,347,376) teaches dynamic 
rules of a security policy. Proctor (US Patent 6,530,024) teaches adaptive security 
policies that are updated based on behavior analyzed from event log files that trigger 
policy updates.

13. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to whose telephone number is (571)272-5861. The
examiner can normally be reached on Monday-Tuesday and Thursday-Friday. 

14. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached on (571)272-4195. The fax phone
number for the organization where this application or proceeding is assigned is
571-273-8300.

15. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/David Garcia Cervetti/ 




